Watch out for cracks in your audit coverage

By Richard P. Kozlow, principal, RPK Associates. Kozlow has over 30 years' experience as an executive in leading financial services and public accounting firms, including several years as a Regional Audit Director with Citibank, responsible for Europe, the Middle East, and Africa. His consulting practice specializes in risk management, internal control, and related governance issues.

Instances of fraud, losses from strategies gone wrong, poorly understood counterparty risk, involvement with corruption: the bad news seems to be coming from every direction. Coupled with the most severe recession that the banking industry has experienced since the 1930s, internal auditors and the Audit Committees that rely on them face difficult choices in the year ahead.

Perils of recessionary periods

One of the greatest challenges confronting both an Audit Committee Chair and a Chief Audit Executive (CAE) is a dramatic, sudden need for the downsizing of a financial services organization.

On the one hand, they are faced with a need to cut expenses dedicated to the independent review and oversight of risk and control activities, in order to be “part of the team” at the bank. On the other hand, there is an obligation to assure that risk transparency and internal controls are functioning properly and not silently derailing the organization’s ability to survive.

I’ve been speaking to Audit Chairs, top Audit executives, and regulators in recent months, and some common areas of concern have come out of these conversations, as these groups watch the banking industry’s reactions to the current, steep recession.

A perspective on business risk

There have been big changes in the risk landscape that financial institutions are facing and those changes continue to evolve, sometimes daily. There will be temptations at all levels of banking organizations to take bigger risks, in order to make up for revenue shortfalls. The huge recent Ponzi scheme masterminded by Bernard Madoff is only the most recent, extreme example of what can result from the uncontrolled desire to maintain earnings.

What does this imply for auditors? They will want to revisit standing risk assessments, with an eye towards short-term threats, including areas of the business that have been or are about to be downsized.

However, auditors will also be interested in something that is often overlooked: Determining what trigger mechanism management uses to judge when material changes in the firm’s risk profile have occurred.

An Audit Committee Chair interviewed for this article put it succinctly:

“I want to know what management is doing differently.”

Far too many firms go to great expense to develop risk assessments that then become static, instead of making ongoing updates a key part of management’s review process.

Assume that inherent risk has increased. This may mean that controls that were adequate until recently are no longer sufficient or appropriate.

The Audit Committee, charged with monitoring the firm’s financial health, will have a keen interest in hearing from management on how business leaders plan to stay on top of ongoing changes in risk, and the related monitoring and controls that flow from that. Underlying prudent management is the recognition that every forecast and its related business plans and controls are fundamentally assumptions, or bets about the future. The Audit Committee and the executive management team should have frank discussions about the support for assumptions underlying business plans and their odds of success.

Need for connective intelligence

Management should include a comprehensive self-review of risks in any downsizing plan, with particular attention paid to staff-related impacts. Key personnel with difficult-to-replace intellectual capital and skill sets, or who are central to the administration of key controls, should be clearly identified.

This is a critical task. Here are just a few of the unintended consequences of a rapid downsizing:

1. Increased executive spread. Staff reductions may result in increased spans of control, concentrating authority in fewer hands, losing some of the checks and balances that were built into the original organization.

2. Loss of longstanding control practices. One example is vacation time. Vacations, required for financial and critical control personnel as part of the system of internal controls, may end up being deferred or cancelled altogether, as suboptimal staffs cope with increased workloads.

3. Incentive system vulnerabilities. Incentive pay structures that might afford opportunities to “game the system” in a stressed environment are an additional area of heightened risk during business slowdowns. Management will likely be realigning incentive compensation on short notice. For example, it may decide to refocus on deposit growth vs. loan growth. When often complex incentive plans are redrawn in haste, this creates the potential for errors in the plans’ design and controls.

These are just a few examples of why Internal Audit should be involved when downsizing begins. Audit can conduct a confidential, objective review of downsizing plans so as to provide reasonable assurance to executive management and the Audit Committee that reduction in force plans do not jeopardize the control environment.

Third-party risk exposures

At the root of many financial firms’ writeoffs has been an unreasonably optimistic outlook on risk transferred to third parties, whether it was responsibility for processing or for assuming financial risks. These risk dependencies have grown increasingly difficult to estimate with any accuracy in the current environment, because, as current events have demonstrated, it is not just the direct relationships that are at risk, but the dependencies that third parties have with others all the way down the chain that have shown the ability to cripple an organization.

Each of these once- or more removed relationships, whether they involve vendors or financial counterparties, needs to be evaluated on an ongoing basis in terms of their potential to threaten the organization. This work is both forensic in nature and difficult to perform due to the confidentiality of relationships, as they become more remote from a financial firm.

However this is addressed, the Audit Committee should be comfortable with the approach that management chooses for assessing this sometimes opaque risk, where the line is drawn between additional time and money spent assessing risk, and the remaining exposure.

Using Audit resources wisely

Frequent communication will help banks avoid audit gaps and missteps. Internal dialogue among Audit Committee chairs, Chief Audit Executives, and executive management will be especially critical in the coming months. The top audit executive is an objective set of eyes and ears, and can provide valuable insight into issues that don’t appear in formal reporting. Invariably, when management gets in crisis mode, Audit Committee Chairs are consumed by the demands put on them for board-related duties. Thus, they and the audit executives must make the time to speak formally and informally with each other.

Furthermore, access to the CEO is also critical to the audit executive doing his or her job effectively. Meetings don’t need to be formal or long. But they must be focused on an unvarnished sharing of insights about concerns on both sides.

Reviewing Audit Committee membership

Finally, the makeup of the Audit Committee can be significant to its effectiveness. Changes in committee membership can be a logistical and political challenge. However, the committee chair will want to have the best representation of the myriad skills needed to properly critique the state of the firm’s risk and control environment, as well as key tactical and strategic decisions during a time of market stress.

The ability to understand complex valuations and transactions, as well as risk assessment and IT skills, are a few areas where a lack of sufficient experience can be a handicap. However, the unique nature of each firm’s business challenges is the key factor in determining what skills are critical.

The “two Cs” of Audit

Once the Audit Committee and the Chief Audit Executive have a solid understanding of the business environment and its related risks, then it is time for the CAE to address what one Audit Committee Chair called the “Two C’s:” coverage and communication.

Coverage, in the current environment, remains a challenge. The audit department is faced with the prospect of having fewer resources to provide coverage in a significantly more difficult environment. The committee will want to hear a frank and honest assessment of what coverage will be impacted and how. Focusing Audit resources appropriately, based on a clear-eyed and well-informed assessment of enterprise risk, is the ultimate critical skill set for a CAE in times of business stress.